Sinister Virus/ Antivirus 2009?


This topic is locked. 39 replies to this topic.

#1 mwoodruff


Posted 16 October 2009 - 01:24 PM

Unfortunately, my daughter's new, pristine hard drive got infected within a few weeks after upgrading her computer. I used Malwarebytes' software and that seemed to take care of the problem. However, I'm convinced we did not remove the offending virus as now I can't even run Malwarebytes' software or other anti-virus programs. McAfee (installed on computer) has quarantined this virus, but that's about it. I'm attaching the files requested. Let me know if a current HJT log is necessary; I have one of those handy! Thanks so much in advance for your expert help!


DDS (Ver_09-10-13.01) - NTFSx86
Run by Nanny at 12:54:30.64 on Fri 10/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2401 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

H:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
H:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:WINDOWSsystem32spoolsv.exe
H:WINDOWSExplorer.EXE
H:WINDOWSRTHDCPL.EXE
H:WINDOWSsystem32RUNDLL32.EXE
H:Program FilesMcAfee.comAgentmcagent.exe
H:Program FilesHPHP Software UpdateHPWuSchd2.exe
H:Program FilesAdobePhotoshop Elements 4.0apdproxy.exe
H:Program FilesiTunesiTunesHelper.exe
H:WINDOWSsystem32ctfmon.exe
H:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
H:Program FilesHPDigital Imagingbinhpqtra08.exe
H:Program FilesMicrosoft OfficeOfficeFINDFAST.EXE
H:Program FilesMicrosoft OfficeOfficeOSA.EXE
H:Program FilesHPDigital ImagingbinhpqSTE08.exe
svchost.exe
H:Program FilesAdobePhotoshop Elements 4.0PhotoshopElementsFileAgent.exe
H:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
H:Program FilesBonjourmDNSResponder.exe
H:Program FilesGIGABYTEEnergySaverGSvr.exe
H:Program FilesMcAfeeSiteAdvisorMcSACore.exe
H:PROGRA~1McAfeeMSCmcmscsvc.exe
h:PROGRA~1COMMON~1mcafeemnamcnasvc.exe
h:PROGRA~1COMMON~1mcafeemcproxymcproxy.exe
H:PROGRA~1McAfeeVIRUSS~1mcshield.exe
H:Program FilesMcAfeeMPFMPFSrv.exe
H:WINDOWSSystem32nvsvc32.exe
H:WINDOWSSystem32svchost.exe -k imgsvc
H:Program FilesiPodbiniPodService.exe
H:WINDOWSSystem32svchost.exe -k HTTPFilter
H:PROGRA~1McAfeeVIRUSS~1mcsysmon.exe
H:Program FilesInternet Exploreriexplore.exe
H:Program FilesInternet Exploreriexplore.exe
H:Program FilesTrend MicroHijackThisHijackThis.exe
H:WINDOWSsystem32NOTEPAD.EXE
H:Program FilesInternet Exploreriexplore.exe
H:Program FilesInternet Exploreriexplore.exe
H:Documents and SettingsNannyDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - h:windowssystem32dvmurl.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - h:progra~1mcafeesitead~1mcieplg.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - h:program filesmcafeevirusscanscriptsn.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - h:program filessharedlib.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - h:progra~1mcafeesitead~1mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - h:progra~1mcafeesitead~1mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:program filesadobeacrobat 6.0acrobatAcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] h:windowssystem32ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE h:windowssystem32NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE h:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [mcagent_exe] "h:program filesmcafee.comagentmcagent.exe" /runkey
mRun: [HP Software Update] h:program fileshphp software updateHPWuSchd2.exe
mRun: [Adobe Photo Downloader] "h:program filesadobephotoshop elements 4.0apdproxy.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "h:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
mRun: [QuickTime Task] "h:program filesquicktimeqttask.exe" -atboottime
mRun: [iTunesHelper] "h:program filesitunesiTunesHelper.exe"
mRun: [tolirudap] Rundll32.exe "h:windowssystem32muwumadu.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] h:program filesmalwarebytes' anti-malwarembamgui.exe /install /silent
StartupFolder: h:docume~1nannystartm~1programsstartupadobeg~1.lnk - h:program filescommon filesadobecalibrationAdobe Gamma Loader.exe
StartupFolder: h:docume~1nannystartm~1programsstartupmicros~1.lnk - h:program filesmicrosoft officeofficeFINDFAST.EXE
StartupFolder: h:docume~1nannystartm~1programsstartupoffice~1.lnk - h:program filesmicrosoft officeofficeOSA.EXE
StartupFolder: h:docume~1alluse~1startm~1programsstartupacroba~1.lnk - h:program filesadobeacrobat 6.0distillracrotray.exe
StartupFolder: h:docume~1alluse~1startm~1programsstartuphpdigi~1.lnk - h:program fileshpdigital imagingbinhpqtra08.exe
IE: E&xport to Microsoft Excel - h:progra~1micros~2office12EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:program filesmessengermsmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:progra~1micros~2office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:progra~1micros~2office11REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251542707171
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251542697984
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {4ef5593a-19dc-42b7-a435-5eb661a4ac1a} - h:windowsbatmeter16.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - h:progra~1mcafeesitead~1McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - h:progra~1mcafeesitead~1McIEPlg.dll
AppInit_DLLs: retupodi.dll h:windowssystem32muwumadu.dll
SSODL: viluzulap - {599436b8-0af9-4790-bf85-6ae80238e045} - h:windowssystem32muwumadu.dll
STS: gahurihor: {599436b8-0af9-4790-bf85-6ae80238e045} - h:windowssystem32muwumadu.dll
LSA: Notification Packages = scecli rifojufi.dll

============= SERVICES / DRIVERS ===============

R2 GEST Service;GEST Service for program management.;h:program filesgigabyteenergysaverGSvr.exe [2009-8-29 68136]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;h:program filesmcafeesiteadvisorMcSACore.exe [2009-8-30 92296]

=============== Created Last 30 ================

2009-10-16 12:31 38,224 a------- h:windowssystem32driversmbamswissarmy.sys
2009-10-16 12:31 19,160 a------- h:windowssystem32driversmbam.sys
2009-10-16 12:31 <DIR> --d----- h:program filesMalwarebytes' Anti-Malware
2009-10-16 12:26 <DIR> --d----- h:docume~1nannyapplic~1AVG8
2009-10-13 16:26 <DIR> --d----- h:docume~1nannyapplic~1Office Genuine Advantage
2009-10-09 20:27 <DIR> --d----- h:program filesShared
2009-10-06 20:41 77,020 a---h--- h:windowssystem32mlfcache.dat
2009-09-30 22:06 <DIR> --d----- h:windowssystem32SoftwareDistribution
2009-09-20 09:41 <DIR> --d----- h:program filesiPod
2009-09-20 09:41 <DIR> --d----- h:program filesiTunes
2009-09-20 09:41 <DIR> --d----- h:docume~1alluse~1applic~1{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-10-15 11:09 17,488 a------- h:windowsgdrv.sys
2009-08-29 19:00 589,824 a------- h:windowssystem32mspst32.dll
2009-08-29 17:10 21,640 a------- h:windowssystem32emptyregdb.dat
2009-08-29 16:58 109,568 -------- h:windowssystem32pxinsi64.exe
2009-08-29 16:58 108,544 -------- h:windowssystem32pxcpyi64.exe
2009-08-29 16:58 20,640 -------- h:windowssystem32driversPxHelp20.sys
2009-08-29 16:56 37,027 a------- h:windowsatmoUn.exe
2009-08-29 11:28 117,132 a------- h:windowshpoins11.dat
2009-08-29 06:21 86,327 a------- h:windowspchealthhelpctrofflinecacheindex.dat
2009-08-28 19:42 2,065,696 a------- h:windowssystem32usbaaplrc.dll
2009-08-28 19:42 40,448 a------- h:windowssystem32driversusbaapl.sys
2009-08-06 19:23 274,288 a------- h:windowssystem32mucltui.dll
2009-08-06 19:23 215,920 a------- h:windowssystem32muweb.dll
2009-08-05 04:01 204,800 a------- h:windowssystem32mswebdvd.dll
2009-08-03 15:07 403,816 a------- h:windowssystem32OGACheckControl.dll
2009-08-03 15:07 322,928 a------- h:windowssystem32OGAAddin.dll
2009-08-03 15:07 230,768 a------- h:windowssystem32OGAEXEC.exe
2009-07-28 23:37 119,808 a------- h:windowssystem32t2embed.dll
2009-07-28 23:37 81,920 a------- h:windowssystem32fontsub.dll
2009-07-15 13:15 88,576 a--sh--- h:windowssystem32besigaza.dll
2009-07-16 01:15 38,912 a--sh--- h:windowssystem32givorite.dll
2009-07-15 13:15 38,912 a--sh--- h:windowssystem32hajiruno.dll
2009-07-16 01:15 88,576 a--sh--- h:windowssystem32muwumadu.dll
2009-07-15 01:15 89,088 a--sh--- h:windowssystem32rahehuvo.dll
2009-07-14 13:15 52,224 a--sh--- h:windowssystem32retupodi.dll
2009-07-14 13:15 52,224 a--sh--- h:windowssystem32rifojufi.dll
2009-07-14 13:15 52,224 a--sh--- h:windowssystem32rokahufu.dll
2009-07-09 23:12 69,120 a--sh--- h:windowssystem32waguzora.dll
2009-07-14 13:15 52,224 a--sh--- h:windowssystem32yagowifu.dll

============= FINISH: 12:54:45.34 ===============

Edit: Also, I should add, while using the internet we get pop-ups that look like CNN news pages, but are obviously some kind of fake ad about internet security or some other such drivel. We have pop-up blocker on, of course, but since this is obviously a sophisticated virus, these are not your mama's pop-ups. My daughter is very good about not clicking on any pop-up and uses the system tray to close all her windows.

Can't wait to see what kind of crap you find on our machine!! Many regards!

Edited by The weatherman, 16 October 2009 - 04:34 PM.
Merged posts to keep the member on "0" replies.~Tw



#2 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 16 October 2009 - 08:41 PM

Hi, mwoodruff :(

Welcome.

I wonder why the back slash is not present in that log to separate directories.

Download OTL.exe to your Desktop.
  • Close any open browsers.
  • Double-click on OTL.exe to start the program.
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    h:\windows\system32\besigaza.dll
    h:\windows\system32\givorite.dll
    h:\windows\system32\hajiruno.dll
    h:\windows\system32\muwumadu.dll
    h:\windows\system32\rahehuvo.dll
    h:\windows\system32\retupodi.dll
    h:\windows\system32\rifojufi.dll
    h:\windows\system32\rokahufu.dll
    h:\windows\system32\waguzora.dll
    h:\windows\system32\yagowifu.dll

    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart.
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.
  • Launch OTL.exe Once again.
  • Leave all settings as they appear as default.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file.
Post the contents of that Notepad document in your next reply.

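As an added example (my own code, not the poster's and not part of OTL or DDS), this automates the triage the helper did by eye on the DDS log in post #1 and checks the registry part of the OTL fix in post #2: it flags persistence entries (Run keys, AppInit_DLLs, SSODL, STS, LSA Notification Packages) that reference DLLs carrying the hidden+system attributes in the Find3M section, and it decodes and re-encodes the hex(7) REG_MULTI_SZ value the fix writes, confirming it restores Notification Packages to only scecli. The sample input is constructed from the log lines on this page with the backslashes the forum stripped put back; the decoder goes slightly beyond the page by also handling the UTF-16LE form that regedit exports use.

```python
import re

# Constructed sample: persistence lines from the DDS "Pseudo HJT Report" above,
# with the backslashes restored (post #3 confirms the original DDS.txt had them).
SAMPLE_HJT = """\
mRun: [mcagent_exe] "h:\\program files\\mcafee.com\\agent\\mcagent.exe" /runkey
mRun: [tolirudap] Rundll32.exe "h:\\windows\\system32\\muwumadu.dll",a
AppInit_DLLs: retupodi.dll h:\\windows\\system32\\muwumadu.dll
SSODL: viluzulap - {599436b8-0af9-4790-bf85-6ae80238e045} - h:\\windows\\system32\\muwumadu.dll
STS: gahurihor: {599436b8-0af9-4790-bf85-6ae80238e045} - h:\\windows\\system32\\muwumadu.dll
LSA: Notification Packages = scecli rifojufi.dll
"""

# Constructed sample: a subset of the DDS Find3M section (date time size attrs path).
SAMPLE_FIND3M = """\
2009-08-06 19:23 274,288 a------- h:\\windows\\system32\\mucltui.dll
2009-07-15 13:15 88,576 a--sh--- h:\\windows\\system32\\besigaza.dll
2009-07-16 01:15 88,576 a--sh--- h:\\windows\\system32\\muwumadu.dll
2009-07-14 13:15 52,224 a--sh--- h:\\windows\\system32\\retupodi.dll
2009-07-14 13:15 52,224 a--sh--- h:\\windows\\system32\\rifojufi.dll
"""

DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_system_dlls(find3m_text):
    """Basenames of DLLs whose DDS attribute string has both the system flag
    (position 3) and the hidden flag (position 4), e.g. 'a--sh---'."""
    found = set()
    for line in find3m_text.splitlines():
        parts = line.split(None, 4)  # the path may contain spaces: split at most 4 times
        if len(parts) < 5:
            continue
        attrs, path = parts[3], parts[4]
        if len(attrs) >= 5 and attrs[3] == "s" and attrs[4] == "h" and path.lower().endswith(".dll"):
            found.add(basename(path))
    return found


def flag_persistence(hjt_text, suspicious_dlls):
    """Return (key, dll, reason) findings for persistence entries in a DDS/HJT-style report."""
    findings = []
    for line in hjt_text.splitlines():
        key, _, rest = line.partition(":")
        key = key.strip()
        dlls = [d.lower() for d in DLL_RE.findall(rest)]
        if key.lower() == "appinit_dlls":
            # Anything listed here is loaded by user32.dll into every GUI process;
            # a clean system has this value empty, as the OTL fix sets it.
            findings += [(key, d, "AppInit_DLLs is not empty") for d in dlls]
        elif key.upper() == "LSA" and "Notification Packages" in rest:
            # Stock XP lists only scecli; extra packages are loaded into lsass.exe at boot.
            packages = rest.split("=", 1)[1].split()
            findings += [(key, p.lower(), "unexpected LSA notification package")
                         for p in packages if p.lower() != "scecli"]
        else:
            findings += [(key, d, "loads a hidden+system DLL") for d in dlls if d in suspicious_dlls]
    return findings


def decode_reg_multi_sz(hex7):
    """Decode a .reg-style hex(7) REG_MULTI_SZ into its list of strings.
    The OTL :reg fix on this page uses one byte per character; regedit exports use
    UTF-16LE. Both are handled by checking whether every odd byte is NUL."""
    data = bytes.fromhex(re.sub(r"[\s\\,]", "", hex7))
    if len(data) >= 2 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\0") if s]


def encode_reg_multi_sz(values, wide=False):
    """Inverse of decode_reg_multi_sz: each string NUL-terminated, list ended by an extra NUL."""
    text = "".join(v + "\0" for v in values) + "\0"
    data = text.encode("utf-16-le" if wide else "latin-1")
    return ",".join(f"{b:02x}" for b in data)


def triage(hjt_text=SAMPLE_HJT, find3m_text=SAMPLE_FIND3M):
    return flag_persistence(hjt_text, hidden_system_dlls(find3m_text))


if __name__ == "__main__":
    for key, dll, reason in triage():
        print(f"{key:14} {dll:14} {reason}")
    # The value written by the OTL fix above decodes to a single package, scecli.
    print("LSA fix restores:", decode_reg_multi_sz("73,63,65,63,6c,69,00,00"))
```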


#3 mwoodruff

  • Topic Starter

Posted 16 October 2009 - 09:43 PM

Alrighty, then. I ran OTL and the "Run Fix" option, BUT my computer did not restart as advertised in your directions. So, thinking I probably did something wrong, I repeated the directions and still did not get a restart. I did have a log pop-up automatically both times and I'm posting them both. The first run is posted first.

Following those is a copy of the "Run Scan" OTL text file. I also got an Extras.txt on my desktop; I'm attaching that too with this edit.

Thanks for your quick response. I have no idea why there isn't a back slash after the H in my earlier logs. Odd. (Actually, when I looked at the DDS.txt file saved on my desktop, it did clearly have the back slash after the H drive so I don't know why it didn't show up in my post when I copied/pasted.)



========== FILES ==========
DllUnregisterServer procedure not found in h:\windows\system32\besigaza.dll
h:\windows\system32\besigaza.dll NOT unregistered.
h:\windows\system32\besigaza.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\givorite.dll
h:\windows\system32\givorite.dll NOT unregistered.
h:\windows\system32\givorite.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\hajiruno.dll
h:\windows\system32\hajiruno.dll NOT unregistered.
h:\windows\system32\hajiruno.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\muwumadu.dll
h:\windows\system32\muwumadu.dll NOT unregistered.
h:\windows\system32\muwumadu.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\rahehuvo.dll
h:\windows\system32\rahehuvo.dll NOT unregistered.
h:\windows\system32\rahehuvo.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\retupodi.dll
h:\windows\system32\retupodi.dll NOT unregistered.
h:\windows\system32\retupodi.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\rifojufi.dll
h:\windows\system32\rifojufi.dll NOT unregistered.
h:\windows\system32\rifojufi.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\rokahufu.dll
h:\windows\system32\rokahufu.dll NOT unregistered.
h:\windows\system32\rokahufu.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\waguzora.dll
h:\windows\system32\waguzora.dll NOT unregistered.
h:\windows\system32\waguzora.dll moved successfully.
DllUnregisterServer procedure not found in h:\windows\system32\yagowifu.dll
h:\windows\system32\yagowifu.dll NOT unregistered.
h:\windows\system32\yagowifu.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!

OTL by OldTimer - Version 3.0.21.0 log created on 10162009_212727


Log #2
========== FILES ==========
File\Folder h:\windows\system32\besigaza.dll not found.
File\Folder h:\windows\system32\givorite.dll not found.
File\Folder h:\windows\system32\hajiruno.dll not found.
File\Folder h:\windows\system32\muwumadu.dll not found.
File\Folder h:\windows\system32\rahehuvo.dll not found.
File\Folder h:\windows\system32\retupodi.dll not found.
File\Folder h:\windows\system32\rifojufi.dll not found.
File\Folder h:\windows\system32\rokahufu.dll not found.
File\Folder h:\windows\system32\waguzora.dll not found.
File\Folder h:\windows\system32\yagowifu.dll not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!

OTL by OldTimer - Version 3.0.21.0 log created on 10162009_213008


"Run Scan" Log:

OTL logfile created on: 10/16/2009 9:32:15 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = H:\Documents and Settings\Nanny\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): H:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = H: | %SystemRoot% = H:\WINDOWS | %ProgramFiles% = H:\Program Files
C: Drive not present or media not loaded
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 931.50 Gb Total Space | 894.83 Gb Free Space | 96.06% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: NATALIE
Current User Name: Nanny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/16 21:25:27 | 00,521,216 | ---- | M] (OldTimer Tools) -- H:\Documents and Settings\Nanny\Desktop\OTL.exe
PRC - [2009/09/08 21:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- H:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/08 21:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- H:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/26 17:21:22 | 00,092,296 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/10 00:26:20 | 00,645,328 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/08 13:11:52 | 00,606,736 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- h:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- h:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- H:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/06 15:14:34 | 00,068,136 | ---- | M] () -- H:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2009/01/13 01:37:06 | 18,084,864 | ---- | M] (Realtek Semiconductor Corp.) -- H:\WINDOWS\RTHDCPL.EXE
PRC - [2008/12/25 11:08:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- H:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- H:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\Explorer.EXE
PRC - [2006/02/19 05:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
PRC - [2006/02/19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/02/19 02:41:10 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- H:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
PRC - [2005/09/09 01:18:10 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- H:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
PRC - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\System32\wdfmgr.exe
PRC - [2003/10/23 23:37:56 | 00,217,194 | ---- | M] (Adobe Systems Inc.) -- H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [1997/07/11 03:00:00 | 00,111,376 | ---- | M] () -- H:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PRC - [1996/11/17 00:00:00 | 00,051,984 | ---- | M] () -- H:\Program Files\Microsoft Office\Office\OSA.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/09/08 21:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- H:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/08/26 17:21:22 | 00,092,296 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
SRV - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/07/08 15:15:04 | 00,365,072 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2009/07/08 13:11:52 | 00,606,736 | ---- | M] (McAfee, Inc.) -- H:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- h:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- h:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2009/02/06 15:14:34 | 00,068,136 | ---- | M] () -- H:\Program Files\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service [Auto | Running])
SRV - [2008/12/25 11:08:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- H:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- H:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- H:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- H:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) -- H:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Stopped])
SRV - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- H:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0 [Auto | Running])
SRV - [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- H:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/10/15 11:09:38 | 00,017,488 | ---- | M] (Windows ® 2000 DDK provider) -- H:\WINDOWS\gdrv.sys -- (gdrv [On_Demand | Running])
DRV - [2009/08/29 16:58:51 | 00,020,640 | ---- | M] (Sonic Solutions) -- H:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/08/28 19:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) -- H:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2009/07/08 13:44:20 | 00,214,024 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/07/08 13:44:20 | 00,079,816 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,040,552 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,035,272 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2009/07/08 13:43:46 | 00,034,248 | ---- | M] (McAfee, Inc.) -- H:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- H:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/01/20 05:53:06 | 05,027,840 | ---- | M] (Realtek Semiconductor Corp.) -- H:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/12/25 11:08:00 | 06,301,344 | ---- | M] (NVIDIA Corporation) -- H:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2008/10/30 08:14:20 | 00,117,888 | R--- | M] (Realtek Semiconductor Corporation ) -- H:\WINDOWS\System32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2008/04/13 13:40:30 | 00,096,512 | ---- | M] () -- H:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi [Boot | Running])
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- H:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2006/04/12 20:04:39 | 00,049,664 | R--- | M] (HP) -- H:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2006/04/12 20:04:39 | 00,021,568 | ---- | M] (HP) -- H:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2006/04/12 20:04:39 | 00,016,496 | R--- | M] (HP) -- H:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- H:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2003/03/31 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- H:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = H:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = H:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\..\URLSearchHook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - H:\WINDOWS\System32\dvmurl.dll (DeviceVM Inc.)
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - h:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: H:\Program Files\McAfee\SiteAdvisor [2009/10/15 23:05:42 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - H:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - H:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Browser Helper Object) - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - H:\Program Files\Shared\lib.dll ()
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - h:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - h:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Adobe Photo Downloader] H:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] H:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] H:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [mcagent_exe] H:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] H:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] H:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] H:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] H:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] H:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [tolirudap] H:\WINDOWS\System32\zezijopi.DLL ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: H:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: H:\Documents and Settings\Nanny\Start Menu\Programs\Startup\Adobe Gamma.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: H:\Documents and Settings\Nanny\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = H:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: H:\Documents and Settings\Nanny\Start Menu\Programs\Startup\Office Startup.lnk = H:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - H:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - H:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1251542707171 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1251542697984 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.188.96.2 137.192.2.3
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - h:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - H:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - h:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter: - text/xml - H:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (h:\windows\system32\zezijopi.dll) - H:\WINDOWS\System32\zezijopi.dll ()
O20 - AppInit_DLLs: (retupodi.dll) - File not found
O20 - AppInit_DLLs: (h:\windows\system32\besigaza.dll) - H:\WINDOWS\System32\besigaza.dll File not found
O20 - AppInit_DLLs: (h:\windows\system32\muwumadu.dll) - H:\WINDOWS\System32\muwumadu.dll File not found
O20 - AppInit_DLLs: (h:\windows\system32\rahehuvo.dll) - H:\WINDOWS\System32\rahehuvo.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - H:\WINDOWS\Explorer.exe (Microsoft Corporation)
O21 - SSODL: jotaleduj - {576ec684-372e-4330-9b7c-503976b09a32} - H:\WINDOWS\System32\zezijopi.dll ()
O22 - SharedTaskScheduler: {576ec684-372e-4330-9b7c-503976b09a32} - jugezatag - H:\WINDOWS\System32\zezijopi.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{1edbddc3-94b8-11de-b832-00241d762af6}\Shell\AutoRun\command - "" = I:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - H:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[3 H:\WINDOWS\System32\*.tmp files]
[4 H:\WINDOWS\*.tmp files]
[2009/09/20 09:41:31 | 00,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/10/13 16:26:45 | 00,000,000 | ---D | C] -- H:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/10/16 12:26:27 | 00,000,000 | ---D | C] -- H:\Documents and Settings\Nanny\Application Data\AVG8
[2009/10/13 16:26:43 | 00,000,000 | ---D | C] -- H:\Documents and Settings\Nanny\Application Data\Office Genuine Advantage
[2009/09/20 09:41:33 | 00,000,000 | ---D | C] -- H:\Program Files\iPod
[2009/09/20 09:41:31 | 00,000,000 | ---D | C] -- H:\Program Files\iTunes
[2009/10/16 12:31:50 | 00,000,000 | ---D | C] -- H:\Program Files\Malwarebytes' Anti-Malware
[2009/09/26 12:02:35 | 00,000,000 | ---D | C] -- H:\Program Files\Microsoft Silverlight
[2009/09/20 09:40:08 | 00,000,000 | ---D | C] -- H:\Program Files\QuickTime
[2009/10/09 20:27:45 | 00,000,000 | ---D | C] -- H:\Program Files\Shared
[2009/10/16 21:27:27 | 00,000,000 | ---D | C] -- H:\_OTL
[2009/10/16 21:25:25 | 00,521,216 | ---- | C] (OldTimer Tools) -- H:\Documents and Settings\Nanny\Desktop\OTL.exe
[2009/10/16 12:56:50 | 00,472,064 | ---- | C] ( ) -- H:\Documents and Settings\Nanny\Desktop\RootRepeal.exe
[2009/10/16 12:31:51 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- H:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/16 12:31:50 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- H:\WINDOWS\System32\drivers\mbam.sys
[2009/10/16 12:22:58 | 00,000,000 | ---D | C] -- H:\WINDOWS\LastGood
[2009/10/03 11:45:03 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\zh-TW
[2009/10/03 11:45:03 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\zh-HK
[2009/10/03 11:45:03 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\tr-TR
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\sv-SE
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\pt-BR
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\nl-NL
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\nb-NO
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\ko-KR
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\it-IT
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\he-IL
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\fr-FR
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\fi-FI
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\es-ES
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\el-GR
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\de-DE
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\da-DK
[2009/10/03 11:45:02 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\ar-SA
[2009/09/30 22:06:53 | 00,000,000 | ---D | C] -- H:\WINDOWS\System32\SoftwareDistribution

========== Files - Modified Within 30 Days ==========

[3 H:\WINDOWS\System32\*.tmp files]
[4 H:\WINDOWS\*.tmp files]
[2009/10/16 21:33:24 | 00,011,168 | -H-- | M] () -- H:\WINDOWS\System32\vudohesu
[2009/10/16 21:25:27 | 00,521,216 | ---- | M] (OldTimer Tools) -- H:\Documents and Settings\Nanny\Desktop\OTL.exe
[2009/10/16 21:20:48 | 00,014,157 | ---- | M] () -- H:\WINDOWS\System32\Config.MPF
[2009/10/16 21:20:06 | 03,731,456 | -H-- | M] () -- H:\ffastun0.ffx
[2009/10/16 21:20:06 | 00,483,328 | -H-- | M] () -- H:\ffastun.ffl
[2009/10/16 21:20:06 | 00,196,608 | -H-- | M] () -- H:\ffastun.ffo
[2009/10/16 21:20:06 | 00,004,764 | -H-- | M] () -- H:\ffastun.ffa
[2009/10/16 12:58:21 | 00,000,000 | ---- | M] () -- H:\Documents and Settings\Nanny\Desktop\settings.dat
[2009/10/16 12:56:58 | 00,472,064 | ---- | M] ( ) -- H:\Documents and Settings\Nanny\Desktop\RootRepeal.exe
[2009/10/16 12:54:08 | 00,331,264 | ---- | M] () -- H:\Documents and Settings\Nanny\Desktop\dds.scr
[2009/10/16 00:47:12 | 00,092,672 | ---- | M] () -- H:\Documents and Settings\Nanny\My Documents\GLBF.doc
[2009/10/15 11:09:44 | 00,013,646 | ---- | M] () -- H:\WINDOWS\System32\wpa.dbl
[2009/10/15 11:09:38 | 00,017,488 | ---- | M] (Windows ® 2000 DDK provider) -- H:\WINDOWS\gdrv.sys
[2009/10/15 11:09:09 | 00,206,492 | ---- | M] () -- H:\WINDOWS\System32\nvapps.xml
[2009/10/15 11:09:08 | 00,000,236 | ---- | M] () -- H:\WINDOWS\tasks\OGALogon.job
[2009/10/15 11:09:08 | 00,000,006 | -H-- | M] () -- H:\WINDOWS\tasks\SA.DAT
[2009/10/15 11:09:06 | 00,002,048 | --S- | M] () -- H:\WINDOWS\bootstat.dat
[2009/10/15 08:39:02 | 00,000,284 | ---- | M] () -- H:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/15 01:00:04 | 00,000,340 | ---- | M] () -- H:\WINDOWS\tasks\McDefragTask.job
[2009/10/06 20:41:59 | 00,077,020 | -H-- | M] () -- H:\WINDOWS\System32\mlfcache.dat
[2009/10/01 01:00:07 | 00,000,332 | ---- | M] () -- H:\WINDOWS\tasks\McQcTask.job
[2009/09/30 21:51:36 | 00,031,232 | ---- | M] () -- H:\Documents and Settings\Nanny\My Documents\vermillionriverbackground9thgrade.doc
[2009/09/24 19:30:17 | 00,032,768 | ---- | M] () -- H:\Documents and Settings\Nanny\My Documents\earthscience09waterqual.doc
[2009/09/20 11:30:21 | 00,002,137 | ---- | M] () -- H:\Documents and Settings\All Users\Desktop\iTunes.lnk

========== Files - No Company Name ==========
[2009/10/16 12:58:21 | 00,000,000 | ---- | C] () -- H:\Documents and Settings\Nanny\Desktop\settings.dat
[2009/10/16 12:54:03 | 00,331,264 | ---- | C] () -- H:\Documents and Settings\Nanny\Desktop\dds.scr
[2009/10/06 20:41:59 | 00,077,020 | -H-- | C] () -- H:\WINDOWS\System32\mlfcache.dat
[2009/10/03 11:45:03 | 00,000,236 | ---- | C] () -- H:\WINDOWS\tasks\OGALogon.job
[2009/09/30 18:41:08 | 00,031,232 | ---- | C] () -- H:\Documents and Settings\Nanny\My Documents\vermillionriverbackground9thgrade.doc
[2009/09/24 19:17:34 | 00,032,768 | ---- | C] () -- H:\Documents and Settings\Nanny\My Documents\earthscience09waterqual.doc
[2009/09/20 09:42:32 | 00,002,137 | ---- | C] () -- H:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/09/11 16:47:56 | 00,019,581 | ---- | C] () -- H:\Program Files\Common Files\mygoqa._sy
[2009/09/11 16:47:56 | 00,019,257 | ---- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\vogolotuzo._dl
[2009/09/11 16:47:56 | 00,018,579 | ---- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\syluguduzu.vbs
[2009/09/11 16:47:56 | 00,018,148 | ---- | C] () -- H:\Program Files\Common Files\idehiv.exe
[2009/09/11 16:47:56 | 00,017,509 | ---- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\ipowumuzy.dll
[2009/09/11 16:47:56 | 00,017,440 | ---- | C] () -- H:\Program Files\Common Files\kaly._dl
[2009/09/11 16:47:56 | 00,013,432 | ---- | C] () -- H:\Program Files\Common Files\yxudocahex.vbs
[2009/09/11 16:47:56 | 00,012,872 | ---- | C] () -- H:\Documents and Settings\All Users\Application Data\zetasoweho.lib
[2009/09/11 16:47:56 | 00,011,913 | ---- | C] () -- H:\WINDOWS\System32\sotukim.dll
[2009/09/11 16:47:56 | 00,011,707 | ---- | C] () -- H:\Documents and Settings\All Users\Application Data\byqiges.scr
[2009/09/11 16:47:56 | 00,011,596 | ---- | C] () -- H:\Program Files\Common Files\ivir.lib
[2009/09/11 16:47:56 | 00,011,519 | ---- | C] () -- H:\Program Files\Common Files\olunibik.bin
[2009/09/11 16:47:56 | 00,011,469 | ---- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\ijupykug.db
[2009/09/11 16:47:56 | 00,011,271 | ---- | C] () -- H:\Program Files\Common Files\awubiqohel.ban
[2009/08/29 19:00:26 | 00,000,210 | ---- | C] () -- H:\WINDOWS\System32\sr2spec.ini
[2009/08/29 18:44:06 | 00,000,022 | ---- | C] () -- H:\WINDOWS\exchng.ini
[2009/08/29 17:15:52 | 00,000,062 | -HS- | C] () -- H:\Documents and Settings\Nanny\Application Data\desktop.ini
[2009/08/29 17:02:48 | 00,354,816 | ---- | C] () -- H:\WINDOWS\System32\psisdecd.dll
[2009/08/29 13:02:20 | 00,000,737 | ---- | C] () -- H:\WINDOWS\ODBC.INI
[2009/08/29 11:24:29 | 00,077,824 | R--- | C] () -- H:\WINDOWS\System32\HPZIDS01.dll
[2009/08/29 11:20:43 | 00,000,749 | ---- | C] () -- H:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/29 09:48:23 | 00,000,062 | -HS- | C] () -- H:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/08/29 06:01:52 | 00,104,872 | ---- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/29 05:21:53 | 05,886,858 | -H-- | C] () -- H:\Documents and Settings\Nanny\Local Settings\Application Data\IconCache.db
[2009/08/29 05:21:39 | 00,096,512 | ---- | C] () -- H:\WINDOWS\System32\drivers\atapi.sys
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- H:\WINDOWS\System32\OGACheckControl.dll
[2009/07/16 13:15:56 | 00,089,088 | -HS- | C] () -- H:\WINDOWS\System32\zezijopi.dll
[2009/07/16 13:15:56 | 00,038,400 | -HS- | C] () -- H:\WINDOWS\System32\huvohapi.dll
[2008/12/25 11:08:00 | 01,724,416 | ---- | C] () -- H:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/25 11:08:00 | 01,507,328 | ---- | C] () -- H:\WINDOWS\System32\nview.dll
[2008/12/25 11:08:00 | 01,101,824 | ---- | C] () -- H:\WINDOWS\System32\nvwimg.dll
[2008/12/25 11:08:00 | 00,466,944 | ---- | C] () -- H:\WINDOWS\System32\nvshell.dll
[2003/03/31 07:00:00 | 00,020,580 | ---- | C] () -- H:\WINDOWS\batmeter16.dll
[2003/03/31 07:00:00 | 00,000,638 | ---- | C] () -- H:\WINDOWS\win.ini
[2003/03/31 07:00:00 | 00,000,231 | ---- | C] () -- H:\WINDOWS\system.ini
[2001/07/07 03:00:00 | 00,003,399 | ---- | C] () -- H:\WINDOWS\System32\hptcpmon.ini
[1996/11/17 00:00:00 | 00,022,016 | ---- | C] () -- H:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/17 00:00:00 | 00,022,016 | ---- | C] () -- H:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/17 00:00:00 | 00,012,288 | ---- | C] () -- H:\WINDOWS\System32\HLINKPRX.DLL
< End of report >




Good Luck!



Edited by mwoodruff, 16 October 2009 - 11:18 PM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:29 AM

Posted 17 October 2009 - 12:03 AM

Hi, mwoodruff :(

I still see some suspicious files.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots: renaming ComboFix to Combo-Fix in the browser's save dialog]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop

    Suspect::
    H:\Program Files\Common Files\mygoqa._sy
    H:\Documents and Settings\Nanny\Local Settings\Application Data\vogolotuzo._dl
    H:\Documents and Settings\Nanny\Local Settings\Application Data\syluguduzu.vbs
    H:\Program Files\Common Files\idehiv.exe
    H:\Documents and Settings\Nanny\Local Settings\Application Data\ipowumuzy.dll
    H:\Program Files\Common Files\kaly._dl
    H:\Program Files\Common Files\yxudocahex.vbs
    H:\Documents and Settings\All Users\Application Data\zetasoweho.lib
    H:\WINDOWS\System32\sotukim.dll
    H:\Documents and Settings\All Users\Application Data\byqiges.scr
    H:\Program Files\Common Files\ivir.lib
    H:\Program Files\Common Files\olunibik.bin
    H:\Documents and Settings\Nanny\Local Settings\Application Data\ijupykug.db
    H:\Program Files\Common Files\awubiqohel.ban

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Additionally, when CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Edited by JSntgRvr, 17 October 2009 - 12:05 AM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

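The Registry:: block of the CFScript above writes two values in .reg syntax. The hex(7) line is a REG_MULTI_SZ whose bytes (73,63,65,63,6c,69,00,00) decode to the single string "scecli", the stock LSA Notification Packages value on a standalone Windows XP machine, so the line evicts anything else registered as an LSA notification package; "AppInit_DLLs"="" empties the loader injection list that the OTL log's O20 lines showed filled with the random-name DLLs. The Python script below is an added example, not ComboFix's or the forum's own code: it splits a CFScript into its sections, decodes the Registry:: values and checks them against the XP defaults. The XP_DEFAULTS table, the trimmed Suspect:: list, and the REGEDIT4 convention that hex(7) data is single-byte (Version 5.00 .reg files use UTF-16LE, hence the wide flag) are assumptions, not taken from the thread.

```python
"""
Decode a ComboFix CFScript's Registry:: block (added example, not ComboFix code).

Assumptions (not from the thread): REGEDIT4-style syntax, single-byte hex(7)
data unless wide=True, and the stock Windows XP workstation values in XP_DEFAULTS.
"""
import re

# Constructed copy of the CFScript posted in the thread (Suspect:: list trimmed).
CFSCRIPT = r'''
Suspect::
H:\Program Files\Common Files\mygoqa._sy
H:\WINDOWS\System32\sotukim.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

# Stock values on a standalone Windows XP machine (assumption: not a domain
# controller, which registers extra LSA packages). Compared case-insensitively.
XP_DEFAULTS = {
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "notification packages"): ["scecli"],
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows", "appinit_dlls"): "",
}


def split_sections(text):
    """Split a CFScript into {'Suspect': [lines], 'Registry': [lines], ...}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("::") and " " not in line:   # section header, e.g. "Suspect::"
            current = line[:-2]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def decode_multi_sz(data, wide=False):
    """Turn a REG_MULTI_SZ buffer (NUL-separated, double-NUL terminated) into a list."""
    text = data.decode("utf-16-le" if wide else "latin-1")
    return [s for s in text.split("\0") if s]


def decode_value(raw, wide=False):
    """Decode the right-hand side of a .reg line: "string", dword:, hex:, hex(N):."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3")   # plain "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return decode_multi_sz(data, wide) if kind == 7 else data
    raise ValueError(f"unrecognised value syntax: {raw!r}")


def parse_registry(lines, wide=False):
    """Return {(key_path, value_name): decoded_value} from Registry:: lines."""
    text = re.sub(r",\\\s*\n\s*", ",", "\n".join(lines))   # join wrapped hex lines
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not (m and key):
                raise ValueError(f"unparsed line: {line!r}")
            entries[(key, m.group(1))] = decode_value(m.group(2), wide)
    return entries


def restores_defaults(entries):
    """True when every entry writes the stock XP value, i.e. the script only repairs."""
    for (key, name), value in entries.items():
        if XP_DEFAULTS.get((key.lower(), name.lower())) != value:
            return False
    return True


if __name__ == "__main__":
    sections = split_sections(CFSCRIPT)
    print("files submitted for analysis:", len(sections["Suspect"]))
    reg = parse_registry(sections["Registry"])
    for (key, name), value in reg.items():
        print(f"{key}\n  {name} -> {value!r}")
    print("all entries restore XP defaults:", restores_defaults(reg))
```

Running it prints the two decoded entries and reports that both match the stock values, which is the check worth making before dragging any script onto ComboFix: a Registry:: block that writes something other than a known default deserves a second look.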

#5 mwoodruff

mwoodruff
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 17 October 2009 - 11:28 AM

I followed your directions and am receiving a message box after I drag the .txt file over to the .exe file. It looks like ComboFix is working (little box on screen with a meter) but after it "loads" I get an error message. It says "Some installation files are corrupt. Please download a fresh copy and retry the installation." Is this legit? Should I do this? I have never had ComboFix on this, or any, computer before.

Thanks!

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:29 AM

Posted 17 October 2009 - 11:43 AM

I followed your directions and am receiving a message box after I drag the .txt file over to the .exe file. It looks like ComboFix is working (little box on screen with a meter) but after it "loads" I get an error message. It says "Some installation files are corrupt. Please download a fresh copy and retry the installation." Is this legit? Should I do this? I have never had ComboFix on this, or any, computer before.

Thanks!

Remove the copy you downloaded and download a fresh one.



#7 mwoodruff

mwoodruff
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 17 October 2009 - 12:01 PM

Thanks, JSntgRvr. I actually did that (since I don't like being stumped) and that worked better. ComboFix downloaded the Windows Recovery Console (we didn't have that) and then went on its merry way. During its run, it found rootkit activity and shut down the computer. Computer started back up and ComboFix continued. When it finished, it found some other malware which it sent somewhere for investigation. Also, since I've been typing this message I have received NO pop-ups regarding security updates or other garbage! Awesome! Here's my log:

ComboFix 09-10-16.09 - Nanny 10/17/2009 11:43.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2889 [GMT -5:00]
Running from: h:\documents and settings\Nanny\Desktop\Combo-Fix.exe
Command switches used :: h:\documents and settings\Nanny\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


file zipped: h:\windows\system32\sotukim.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
h:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
h:\documents and settings\Nanny\Cookies\evygujozus.inf
h:\documents and settings\Nanny\Cookies\maqucyzihu._dl
h:\documents and settings\Nanny\Local Settings\Application Data\syluguduzu.vbs
h:\documents and settings\Nanny\Local Settings\Temporary Internet Files\ijyk._sy
h:\documents and settings\Nanny\Local Settings\Temporary Internet Files\inekujojo._sy
h:\documents and settings\Nanny\Local Settings\Temporary Internet Files\kajid.lib
h:\documents and settings\Nanny\Local Settings\Temporary Internet Files\oxoqubas.pif
h:\program files\Common Files\yxudocahex.vbs
h:\program files\Shared\lib.dll
h:\program files\Shared\lib.sig
h:\windows\batmeter16.dll
h:\windows\ohewaqutar.exe
h:\windows\paliwikof._sy
h:\windows\system32\gasahamo.dll.tmp
h:\windows\system32\huvohapi.dll
h:\windows\system32\mabokiyu.dll.tmp
h:\windows\system32\movunayu.exe
h:\windows\system32\vogalode.dll.tmp
h:\windows\system32\zezijopi.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
Infected copy of h:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
.

2009-10-17 02:27 . 2009-10-17 02:27 -------- d-----w- H:\_OTL
2009-10-16 17:31 . 2009-09-10 19:54 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2009-10-16 17:31 . 2009-10-16 17:41 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:31 . 2009-09-10 19:53 19160 ----a-w- h:\windows\system32\drivers\mbam.sys
2009-10-16 17:26 . 2009-10-16 17:26 -------- d-----w- h:\documents and settings\Nanny\Application Data\AVG8
2009-10-13 21:26 . 2009-10-13 21:26 -------- d-----w- h:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-13 21:26 . 2009-10-13 21:26 -------- d-----w- h:\documents and settings\Nanny\Application Data\Office Genuine Advantage
2009-10-10 01:27 . 2009-10-17 16:47 -------- d-----w- h:\program files\Shared
2009-10-07 01:41 . 2009-10-07 01:41 77020 ---ha-w- h:\windows\system32\mlfcache.dat
2009-10-03 16:39 . 2009-10-03 16:39 -------- d-----w- h:\documents and settings\LocalService\Application Data\McAfee
2009-09-26 17:02 . 2009-09-26 17:02 -------- d-----w- h:\program files\Microsoft Silverlight
2009-09-20 14:41 . 2009-09-20 14:41 -------- d-----w- h:\program files\iPod
2009-09-20 14:41 . 2009-09-20 14:42 -------- d-----w- h:\program files\iTunes
2009-09-20 14:41 . 2009-09-20 14:42 -------- d-----w- h:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 14:40 . 2009-09-20 14:40 -------- d-----w- h:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 16:42 . 2009-08-29 10:26 17488 ----a-w- h:\windows\gdrv.sys
2009-10-07 03:42 . 2009-08-29 11:13 -------- d-----w- h:\program files\McAfee
2009-10-03 01:25 . 2009-08-30 15:19 -------- d-----w- h:\documents and settings\LocalService\Application Data\SACore
2009-09-30 23:57 . 2009-08-29 11:25 -------- d-----w- h:\documents and settings\All Users\Application Data\McAfee
2009-09-20 14:43 . 2009-08-29 23:40 -------- d-----w- h:\documents and settings\Nanny\Application Data\Apple Computer
2009-09-20 14:41 . 2009-08-30 03:04 -------- d-----w- h:\program files\Common Files\Apple
2009-09-13 01:24 . 2009-09-13 01:24 -------- d-----w- h:\program files\Trend Micro
2009-09-13 00:39 . 2009-09-13 00:39 -------- d-----w- h:\documents and settings\Nanny\Application Data\Malwarebytes
2009-09-13 00:39 . 2009-09-13 00:39 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 15:18 . 2009-08-30 15:18 -------- d-----w- h:\windows\system32\config\systemprofile\Application Data\SACore
2009-08-30 11:28 . 2009-08-29 11:27 -------- d-----w- h:\documents and settings\All Users\Application Data\SiteAdvisor
2009-08-30 08:01 . 2009-08-30 00:05 -------- d-----w- h:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 08:00 . 2009-08-30 08:00 -------- d-----w- h:\program files\MSXML 4.0
2009-08-30 04:15 . 2009-08-30 04:06 -------- d-----w- h:\program files\PhotoFiltre
2009-08-30 03:29 . 2009-08-29 23:38 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple
2009-08-30 03:04 . 2009-08-30 03:04 -------- d-----w- h:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-30 03:04 . 2009-08-29 23:38 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple Computer
2009-08-30 03:04 . 2009-08-30 03:04 -------- d-----w- h:\program files\Bonjour
2009-08-30 00:46 . 2009-08-29 11:01 104872 ----a-w- h:\documents and settings\Nanny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 00:07 . 2009-08-30 00:07 -------- d-----w- h:\program files\Microsoft Works
2009-08-29 23:38 . 2009-08-29 23:38 -------- d-----w- h:\program files\Apple Software Update
2009-08-29 23:37 . 2009-08-29 23:37 -------- d-----w- h:\program files\Apple
2009-08-29 22:26 . 2009-08-29 22:26 -------- d-----w- h:\documents and settings\All Users\Application Data\espionServerData
2009-08-29 22:15 . 2009-08-29 21:50 -------- d-----w- h:\program files\Common Files\Adobe
2009-08-29 22:12 . 2009-08-29 22:12 -------- d-----w- h:\program files\microsoft frontpage
2009-08-29 22:10 . 2009-08-29 22:10 21640 ----a-w- h:\windows\system32\emptyregdb.dat
2009-08-29 21:58 . 2009-08-29 22:01 20640 ------w- h:\windows\system32\drivers\PxHelp20.sys
2009-08-29 21:58 . 2009-08-29 22:01 109568 ------w- h:\windows\system32\pxinsi64.exe
2009-08-29 21:58 . 2009-08-29 22:01 108544 ------w- h:\windows\system32\pxcpyi64.exe
2009-08-29 21:56 . 2009-08-29 21:52 -------- d-----w- h:\documents and settings\Nanny\Application Data\AdobeUM
2009-08-29 21:56 . 2009-08-29 21:56 37027 ----a-w- h:\windows\atmoUn.exe
2009-08-29 21:56 . 2009-08-29 21:56 -------- d-----w- h:\program files\Viewpoint
2009-08-29 21:56 . 2009-08-29 21:56 -------- d-----w- h:\documents and settings\All Users\Application Data\Viewpoint
2009-08-29 16:29 . 2009-08-29 16:28 -------- d-----w- h:\documents and settings\Nanny\Application Data\HP
2009-08-29 16:28 . 2009-08-29 16:20 117132 ----a-w- h:\windows\hpoins11.dat
2009-08-29 16:28 . 2009-08-29 16:28 -------- d-----w- h:\documents and settings\All Users\Application Data\HP
2009-08-29 16:27 . 2009-08-29 16:26 -------- d-----w- h:\program files\Common Files\HP
2009-08-29 16:27 . 2009-08-29 16:22 -------- d-----w- h:\program files\HP
2009-08-29 16:25 . 2009-08-29 16:25 -------- d-----w- h:\program files\Hewlett-Packard
2009-08-29 16:25 . 2009-08-29 16:25 -------- d-----w- h:\program files\Common Files\Hewlett-Packard
2009-08-29 11:27 . 2009-08-29 11:26 -------- d-----w- h:\program files\Common Files\McAfee
2009-08-29 11:26 . 2009-08-29 11:26 -------- d-----w- h:\program files\McAfee.com
2009-08-29 10:32 . 2009-08-29 10:32 -------- d-----w- h:\program files\Common Files\Wise Installation Wizard
2009-08-29 10:23 . 2009-08-29 10:23 -------- d-----w- h:\program files\Realtek
2009-08-29 10:23 . 2009-08-29 10:20 -------- d--h--w- h:\program files\InstallShield Installation Information
2009-08-29 10:21 . 2009-08-29 10:21 -------- d-----w- h:\program files\Intel
2009-08-29 10:21 . 2009-08-29 10:21 -------- d-----w- h:\program files\Browser Configuration Utility
2009-08-29 10:20 . 2009-08-29 10:20 -------- d-----w- h:\program files\GIGABYTE
2009-08-29 10:20 . 2009-08-29 10:20 -------- d-----w- h:\program files\Common Files\InstallShield
2009-08-29 00:42 . 2009-08-30 03:04 40448 ----a-w- h:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-30 03:04 2065696 ----a-w- h:\windows\system32\usbaaplrc.dll
2009-08-07 00:24 . 2009-08-29 10:45 327896 ----a-w- h:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2008-10-16 19:12 209632 ----a-w- h:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2009-08-29 10:45 44768 ----a-w- h:\windows\system32\wups2.dll
2009-08-07 00:24 . 2009-08-29 10:45 35552 ----a-w- h:\windows\system32\wups.dll
2009-08-07 00:24 . 2009-08-29 22:09 53472 ----a-w- h:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-03-31 12:00 96480 ----a-w- h:\windows\system32\cdm.dll
2009-08-07 00:23 . 2009-08-29 10:45 575704 ----a-w- h:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-08-29 22:09 1929952 ----a-w- h:\windows\system32\wuaueng.dll
2009-08-07 00:23 . 2009-08-29 10:46 274288 ----a-w- h:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- h:\windows\system32\muweb.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- h:\windows\system32\mswebdvd.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- h:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- h:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- h:\windows\system32\OGAEXEC.exe
2009-07-29 04:37 . 2003-03-31 12:00 81920 ----a-w- h:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2003-03-31 12:00 119808 ----a-w- h:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="h:\windows\System32\NvCpl.dll" [2008-12-25 13680640]
"NvMediaCenter"="h:\windows\System32\NvMcTray.dll" [2008-12-25 86016]
"mcagent_exe"="h:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Photo Downloader"="h:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"RTHDCPL"="RTHDCPL.EXE" - h:\windows\RTHDCPL.EXE [2009-01-13 18084864]
"nwiz"="nwiz.exe" - h:\windows\system32\nwiz.exe [2008-12-25 1657376]

h:\documents and settings\Nanny\Start Menu\Programs\Startup\
Adobe Gamma.lnk - h:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]
Microsoft Find Fast.lnk - h:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - h:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - h:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 GEST Service;GEST Service for program management.;h:\program files\GIGABYTE\EnergySaver\GSvr.exe [8/29/2009 5:20 AM 68136]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;h:\program files\McAfee\SiteAdvisor\McSACore.exe [8/30/2009 6:28 AM 92296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"h:\windows\system32\rundll32.exe" "h:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 h:\windows\Tasks\McDefragTask.job
- h:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-29 02:26]

2009-10-01 h:\windows\Tasks\McQcTask.job
- h:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-29 02:26]

2009-10-17 h:\windows\Tasks\OGALogon.job
- h:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - h:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-tolirudap - h:\windows\system32\zezijopi.dll
SharedTaskScheduler-{576ec684-372e-4330-9b7c-503976b09a32} - h:\windows\system32\zezijopi.dll
SSODL-jotaleduj-{576ec684-372e-4330-9b7c-503976b09a32} - h:\windows\system32\zezijopi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-17 11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,a8,d1,7f,04,6e,b6,40,ad,fa,6d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a5,a8,d1,7f,04,6e,b6,40,ad,fa,6d,\
.
Completion time: 2009-10-17 11:51
ComboFix-quarantined-files.txt 2009-10-17 16:50

Pre-Run: 960,920,866,816 bytes free
Post-Run: 961,678,049,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

234 --- E O F --- 2009-10-03 16:45
Upload was successful

#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 October 2009 - 03:21 PM

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 mwoodruff
  • Topic Starter

  • Members
  • 22 posts

Posted 17 October 2009 - 09:21 PM

JSntgRvr,

When you said that the GMER scan could take some time, did you mean it could take hours?! It's been scanning for 3+ hours and has been scanning my McAfee quarantined files for at least 2 hours. If this seems normal, great. If not, any suggestions?!

Thanks!

#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 October 2009 - 11:42 PM

JSntgRvr,

When you said that the GMER scan could take some time, did you mean it could take hours?! It's been scanning for 3+ hours and has been scanning my McAfee quarantined files for at least 2 hours. If this seems normal, great. If not, any suggestions?!

Thanks!

No. It should not take that long. Instead, run and update Malwarebytes as follows:
  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 October 2009 - 12:07 AM

In addition, please follow these steps:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    Atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



#12 mwoodruff
  • Topic Starter

  • Members
  • 22 posts

Posted 18 October 2009 - 12:17 AM

Ok, here's a copy of the Malwarebytes' quick scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 5.1.2600 Service Pack 3

10/18/2009 12:04:43 AM
mbam-log-2009-10-18 (00-04-43).txt

Scan type: Quick Scan
Objects scanned: 95072
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here are the results of the SystemLook scan:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:11 on 18/10/2009 by Nanny (Administrator - Elevation successful)

========== filefind ==========

Searching for "Atapi.sys"
H:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [11:15 29/08/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
H:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [10:21 29/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [10:21 29/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 86912 bytes [10:21 29/08/2009] [12:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA
H:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 86912 bytes [10:21 29/08/2009] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-

Let me know if you want me to try that GMER again. That has me stumped. I don't like being stumped!! Many thanks!
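The SystemLook output above lists six copies of atapi.sys carrying three distinct MD5 hashes. As an added example (not from this thread, nor SystemLook's or BleepingComputer's own code), the following Python parses that filefind output and checks whether the in-use driver under system32\drivers matches the two reference copies Windows keeps (ServicePackFiles and dllcache); the older builds under ReinstallBackups and $NtServicePackUninstall$ are expected to differ and are not treated as a mismatch.

```python
import re
from collections import defaultdict

# SystemLook ":filefind" output, copied from the log posted above in this thread.
SYSTEMLOOK_OUTPUT = r"""
Searching for "Atapi.sys"
H:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [11:15 29/08/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
H:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [10:21 29/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [10:21 29/08/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
H:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 86912 bytes [10:21 29/08/2009] [12:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA
H:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 86912 bytes [10:21 29/08/2009] [06:27 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
"""

# One result line: <path> <6 attribute flags> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# The driver actually loaded at boot, and the pristine copies Windows keeps of it.
LIVE_DRIVER = r"\system32\drivers\atapi.sys"
REFERENCE_COPIES = (r"\servicepackfiles\i386\atapi.sys", r"\system32\dllcache\atapi.sys")


def parse_filefind(text):
    """Parse SystemLook :filefind result lines into dicts; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_hash(entries):
    """Map each distinct MD5 to the paths carrying it, so an odd-one-out copy stands out."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["md5"]].append(entry["path"])
    return dict(groups)


def check_live_driver(entries):
    """Compare the in-use driver's hash with the service-pack and dllcache reference copies.
    Backup copies elsewhere are older builds, so only the reference copies count."""
    live = [e for e in entries if e["path"].lower().endswith(LIVE_DRIVER)]
    refs = [e for e in entries if e["path"].lower().endswith(REFERENCE_COPIES)]
    ref_md5s = sorted({e["md5"] for e in refs})
    if not live or not refs:
        return {"live_md5": None, "reference_md5s": ref_md5s, "consistent": False}
    live_md5 = live[0]["md5"]
    return {"live_md5": live_md5, "reference_md5s": ref_md5s, "consistent": ref_md5s == [live_md5]}


if __name__ == "__main__":
    parsed = parse_filefind(SYSTEMLOOK_OUTPUT)
    for md5, paths in group_by_hash(parsed).items():
        print(md5, "->", len(paths), "copy/copies")
    print(check_live_driver(parsed))
```

For the log above the live driver matches both reference copies; a live copy whose hash matched neither reference would be the case where restoring the ServicePackFiles copy, as done in the next reply, is warranted.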

#13 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 October 2009 - 10:28 AM

Let's replace the Atapi.sys file, then we can try GMER once again.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CopyFile.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the CopyFile.bat file. That should copy the file to the H:\ folder.

@echo off
Copy H:\WINDOWS\ServicePackFiles\i386\atapi.sys H:\
exit


1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
H:\atapi.sys H:\WINDOWS\system32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.



#14 mwoodruff
  • Topic Starter

  • Members
  • 22 posts

Posted 18 October 2009 - 11:44 AM

I'll follow your instructions soon. Should I disable my antivirus software and disconnect from the internet while I'm doing this? (After I've downloaded the appropriate programs, of course.)

#15 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 October 2009 - 01:00 PM

I'll follow your instructions soon. Should I disable my antivirus software and disconnect from the internet while I'm doing this? (After I've downloaded the appropriate programs, of course.)

Yes. Every time you have to use a tool, you must disable your security as it may interfere.





